Month: June 2014

HTTP Verb Tampering

Okay, so I had done some research on verb tampering lately, and most of you could get this information on the open web. What is not included there is the fact that there are really three relevant methods to tamper with and bypass VBAAC (Verb Based Authentication and Access Control), a security descriptor that contains the access-control rules specified under certain web environments. To make the process easy and flexible, here is a small bash script one could use:

The 3 possible ways to bypass VBAAC are:

a.) Via the HEAD Verb (as a request method)

b.) Via any arbitrary method (provided the code handling the request does not rely on a servlet {HttpServlet} but on some other service, e.g. a JSP service)

The following code lets you (as a web application penetration tester) test whether certain entry points accept common request methods. If the OPTIONS method is allowed at all, you are shown the “RESPONSE” to an OPTIONS request, which lists the permitted methods; otherwise the script requests the entry point with each method listed in ‘webservmethod’, and for every method that is not allowed you will see “Method Not Allowed” in the response.
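To make the bypass concrete from the defender's side, here is an added example (not the post's bash script, and not code from any real container) that models how a verb-based rule in the style of a servlet security constraint is evaluated. It shows why a rule that names only GET and POST on a protected path leaves HEAD and any arbitrary verb unconstrained, and how two Servlet-spec features that do exist, `<http-method-omission>` (Servlet 3.0) and `<deny-uncovered-http-methods/>` (Servlet 3.1), close that gap. The class and function names, the `/admin/*` rule and the `FOOBAR` verb are all constructed for the example.

```python
"""Added example: a model of verb-based access control (VBAAC) evaluation.

Constructed to illustrate the HEAD / arbitrary-verb bypass described in the
post and the hardened rule shapes; it is not the post's script nor a real
container's implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class SecurityConstraint:
    url_pattern: str                                  # e.g. "/admin/*"
    roles: FrozenSet[str]                             # roles let through; empty = nobody
    http_methods: FrozenSet[str] = frozenset()        # <http-method> list; empty = every verb
    method_omissions: FrozenSet[str] = frozenset()    # <http-method-omission> (Servlet 3.0)


def path_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: an exact path, or a prefix pattern ending in '/*'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def method_covered(c: SecurityConstraint, method: str) -> bool:
    """Does this constraint apply to the given verb at all?"""
    m = method.upper()
    if c.method_omissions:            # constrain everything EXCEPT the omitted verbs
        return m not in c.method_omissions
    if c.http_methods:                # constrain ONLY the listed verbs (the weak shape)
        return m in c.http_methods
    return True                       # no verb list: the constraint covers every method


def authorize(constraints: Sequence[SecurityConstraint], method: str, path: str,
              user_roles: FrozenSet[str], deny_uncovered: bool = False) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) the way a container-level VBAAC check would.

    deny_uncovered models <deny-uncovered-http-methods/> (Servlet 3.1): a verb that a
    matching constraint does not name is refused instead of being let through unchecked.
    """
    verb = method.upper()
    matched_path = False
    for c in constraints:
        if not path_matches(c.url_pattern, path):
            continue
        matched_path = True
        if method_covered(c, verb):
            if user_roles & c.roles:
                return "allow", f"{verb} {path}: role check passed"
            return "deny", f"{verb} {path}: one of {sorted(c.roles)} required"
    if matched_path and deny_uncovered:
        return "deny", f"{verb} {path}: verb not covered by any constraint"
    if matched_path:
        # The bypass: the path is protected, but this verb was never named in the
        # rule, so the container performs no role check. Whether HEAD or an unknown
        # verb then actually yields content depends on what handles the request
        # downstream (an HttpServlet versus, e.g., a JSP service), as the post notes.
        return "allow", f"{verb} {path}: verb not covered (VBAAC bypass)"
    return "allow", f"{verb} {path}: unprotected path"


# Constructed rules: the weak one names verbs, the hardened one does not.
WEAK = [SecurityConstraint("/admin/*", frozenset({"admin"}),
                           http_methods=frozenset({"GET", "POST"}))]
HARDENED = [SecurityConstraint("/admin/*", frozenset({"admin"}))]
ANONYMOUS: FrozenSet[str] = frozenset()


def bypass_report(constraints: Sequence[SecurityConstraint],
                  deny_uncovered: bool = False) -> Dict[str, str]:
    """Try the verbs from the post, plus a made-up one, against /admin/users anonymously."""
    return {v: authorize(constraints, v, "/admin/users", ANONYMOUS, deny_uncovered)[0]
            for v in ("GET", "HEAD", "OPTIONS", "FOOBAR")}


if __name__ == "__main__":
    for label, rules, deny in (("weak", WEAK, False),
                               ("weak + deny-uncovered", WEAK, True),
                               ("hardened (no verb list)", HARDENED, False)):
        print(f"{label:26} {bypass_report(rules, deny)}")
```

Running it shows the weak rule denying GET but allowing HEAD, OPTIONS and FOOBAR on the protected path, while either omitting the verb list or enabling deny-uncovered denies all four. The practical check on a real deployment is the same one the post's script performs from the outside: confirm that every verb, including HEAD and an unrecognised one, gets the same access decision as GET on each protected entry point.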